Difference between pages "User:Netbug" and "Personal Folder File (PAB, PST, OST)"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(New page: = André Luiz Facina = {| border="1" |- '''André Facina'''<BR>Valinhos,SP - Brazil<BR>Gtalk: andre.luiz.facina at gmail.com<BR> |} == Contact == Languages: Brazilian Portuguese, English...)
 
 
Line 1: Line 1:
= André Luiz Facina =
+
[[Microsoft]] [[Outlook]] uses the '''Personal Folder File (PFF)''' to store e-mails, appointments, tasks, contacts, notes, etc.
  
{| border="1"
+
Three different types of the PFF are known:
|-
+
* The '''Personal Address Book (PAB)''', which contains the address book of contacts. These files have the extension '''.pab'''.
'''André Facina'''<BR>Valinhos,SP - Brazil<BR>Gtalk: andre.luiz.facina at gmail.com<BR>
+
* The '''Personal Storage Table (PST)''', which contains items like e-mails, appointments, tasks, notes, etc. and is used as current and archived mailbox files. These files have the extension '''.pst'''. The PST format is also referred to as the '''Personal Folder File (PFF)''' format.
|}
+
* The '''Offline Storage Table (OST)''', which contains items like e-mails, appointments, tasks, notes, etc. and is used as off line mailbox files in conjunction with [[Microsoft]] [[Exchange]]. These files have the extension '''.ost'''. The OST format is also referred to as the '''Offline Folder File (OFF)''' format.
  
== Contact ==
+
The underlying file format of these files is the same of which the actual name is unknown but has been dubbed the '''Personal Folder File (PFF)''' format, because of its most common usage.
Languages: Brazilian Portuguese, English
+
* '''Email''': andre.luiz.facina at gmail.com
+
  
== GPG Public Key ==
+
== MIME types ==
  
<pre>
+
The actual Mime type of the PFF format is unspecified however some sources claim the following [[MIME types]] apply to this [[file format]]:
-----BEGIN PGP PUBLIC KEY BLOCK-----
+
* application/vnd.ms-outlook (for PST files)
Version: GnuPG v2.0.7 (GNU/Linux)
+
  
mQGiBEkXD6IRBACAXdtz5a5HpA38eApEQ2EOH9bjE5CPsoCtgbVsR59u3IAwhSOs
+
== File signature ==
wotgKnXjWp9vrIxNsuEGa0X7Dh0h3yXZwpr6wfaXBXa9PIVX1T2iIwgmeQ0f2sUA
+
KLnIJP5t0Dnr8h1aiGyPMdI3buEGG2hJHdVz3sl0VyTfEB4mq1HYIYRYgwCgpiQ8
+
spsQ5ZncovTCfo6gM32df3UD/jvpqx1K0wlVOtdd3taTkzfDfrYgBmzlvCQXEMUO
+
y2m3zMezr9rAt+UaGxhrDlGzEtp3E3WRBCFjrzXGHlJ5vFwoPNPFjfRraFGsSbKt
+
Mr/k56+6CCy2eQ8irFNvQfc9dKXn3ka6eUuQhKzsbk/CC5rGd1Rer5R4G5ejcEWD
+
0mG5A/4kojTjKSvBix1jjZ5qPQiiXOE/DT+/3RgvSzMU/NrLICnIVaQO4hKMXM/T
+
HydM4SmPfWuHPT9fIPAJ1cQhgo+zV3zpqhUDQpabcITGyiGtZWi+CZ4PVKtvCWqS
+
fmGuejmujSogkDO7v4h5MJgJAAOOlw5BpIb69aYkPi8plhtmeLQwQW5kcsOpIEx1
+
aXogRmFjaW5hIDxhbmRyZS5sdWl6LmZhY2luYUBnbWFpbC5jb20+iGAEExECACAF
+
AkkXD6ICGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRAfaw/VQxlBwxqWAJoD
+
xHA0kmi+GWIM0xP04ciJqrFNJwCfa1m0EF3LwK1SMjpVO5cT/VkGx8C5Ag0ESRcP
+
ohAIAPu6xYSAw+s3hciJUCN2J1bz63b01Vm0k5Vv7z48VeBaYJDRnNvfmOjPsaDg
+
FAeFSfZNuZwlz+h1uS2fFX7fDgyhQ9cNo4Ackl+ajbUWEUzQ/yriC54NmVXcQOhS
+
UkM0Swn3Lmqi+6x9TlgttejFIUZ9KPhX8hEs0aHcfgoI0GLtgetsENnlfj7bheSi
+
dXdML3FTrn9TjIRVRiSuDRfQ8bLxpaap6uWGTO7ViGcnkjjOmzxP8zn3ojWCVfQw
+
nYb3gix3xHmVC0fnGNI1lY7y+APd2Kx0FWaDoKk91XEipttXF6LZLz9fp4ReN3de
+
QBhs5xUjvEe7Uv6dZJ/0ix7fiMsAAwUIAMvclOZn8/LO/bbnSNkVRu2kgqa/UoJV
+
7fiwTnE60kAwdC8s7FHzKY1ZabbxmrxUtaKFv9n4gtY2+iOZH/tAeal7qew5I6co
+
47q7tVhmp/4oTSwxq1BfCS4qAtMewYAoXb/B6l70ANkQAVQwupjZljnVuRaZGRy3
+
+2cKUEKjWvoQNaPFjpmULCZtfq4qJ367LXWuVp560AWrjUGFwDGnaMCnx+EkgCKe
+
mafw7lYhDj63KivXR9bhIVyHwUnDdyAljcXojGRzHbQwM9F+SezaqiK70etheFk7
+
R2654JTy3iqCXAH5uKJc+nsZjehalhl1UoCYfNtHF6/tHSAEIvOLAjmISAQYEQIA
+
CQUCSRcPogIbDAAKCRAfaw/VQxlBw1i+AJiIWL/6KwO4LfHNyqDDURvorLwTAJ9c
+
HunOTPRewkD6HNvD9W9ibqGVFg==
+
=r//8
+
-----END PGP PUBLIC KEY BLOCK-----
+
  
</pre>
+
The PFF has the following file signature:
 +
hexadecimal: 21 42 44 4e
 +
ASCII: !BDN
  
----
+
== File types ==
 +
 
 +
There are a 32-bit and a 64-bit version of the PFF. These have the same file signature but can be identified by the version in the file header.
 +
 
 +
== Contents ==
 +
 
 +
The PFF basically contains a hierarchy of items. The attributes of these items are defined by the [[Microsoft]] [[Outlook]] [[Message API (MAPI)]].
 +
 
 +
== Encryption ==
 +
 
 +
The PFF format allows the file to be encrypted. Two types of encryptions are currently known these are referred to as compressible and high encryption.
 +
The compressible encryption is a basic substitution cypher and the high encryption is a little more complex substitution cypher.
 +
From a cryptographic point of view this is more a way of obfuscation than a means to protect confidentiality.
 +
 
 +
== See also==
 +
 
 +
* A great deal of information about the format has been documented by the [http://libpff.sourceforge.net libpff project], including some of the [http://downloads.sourceforge.net/libpff/Personal_Folder_File_format.pdf Personal Folder File format specifications] and [http://downloads.sourceforge.net/libpff/MAPI_definitions.pdf MAPI definitions].
 +
* [http://www.five-ten-sg.com/libpst/ libpst]
 +
 
 +
[[Category:File Formats]]

Revision as of 04:17, 31 January 2009

Microsoft Outlook uses the Personal Folder File (PFF) to store e-mails, appointments, tasks, contacts, notes, etc.

Three different types of the PFF are known:

  • The Personal Address Book (PAB), which contains the address book of contacts. These files have the extension .pab.
  • The Personal Storage Table (PST), which contains items like e-mails, appointments, tasks, notes, etc. and is used as current and archived mailbox files. These files have the extension .pst. The PST format is also referred to as the Personal Folder File (PFF) format.
  • The Offline Storage Table (OST), which contains items like e-mails, appointments, tasks, notes, etc. and is used as off line mailbox files in conjunction with Microsoft Exchange. These files have the extension .ost. The OST format is also referred to as the Offline Folder File (OFF) format.

The underlying file format of these files is the same of which the actual name is unknown but has been dubbed the Personal Folder File (PFF) format, because of its most common usage.

MIME types

The actual Mime type of the PFF format is unspecified however some sources claim the following MIME types apply to this file format:

  • application/vnd.ms-outlook (for PST files)

File signature

The PFF has the following file signature: hexadecimal: 21 42 44 4e ASCII: !BDN

File types

There are a 32-bit and a 64-bit version of the PFF. These have the same file signature but can be identified by the version in the file header.

Contents

The PFF basically contains a hierarchy of items. The attributes of these items are defined by the Microsoft Outlook Message API (MAPI).

Encryption

The PFF format allows the file to be encrypted. Two types of encryptions are currently known these are referred to as compressible and high encryption. The compressible encryption is a basic substitution cypher and the high encryption is a little more complex substitution cypher. From a cryptographic point of view this is more a way of obfuscation than a means to protect confidentiality.

See also